VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.

Information

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain much be alerted on in vCenter at a minimum and ideally on a Security Information and Event Management (SIEM) system as well.

To ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the 'com.vmware.sso.PrincipalManagement' event ID and configure the alert mechanisms appropriately.

Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Alarm Definitions.

Click 'Add'.

Provide the alarm name of 'SSO account actions - com.vmware.sso.PrincipalManagement' and an optional description.

From the 'Target type' drop-down menu, select 'vCenter Server'.

Click 'Next'.

Paste 'com.vmware.sso.PrincipalManagement' (without quotes) in the line after 'IF' and press 'Enter'.

Next to 'Trigger the alarm and', select 'Show as Warning'.

Configure the desired notification actions that will inform the SA and ISSO of the event.

Click 'Next'. Click 'Next' again. Click 'Create'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|II, CCI|CCI-001683, CCI|CCI-001684, CCI|CCI-001685, CCI|CCI-001686, CCI|CCI-002132, Rule-ID|SV-256337r885622_rule, STIG-ID|VCSA-70-000123, Vuln-ID|V-256337

Plugin: VMware

Control ID: 443f66399f80e185df752434d887f6aef463d2b3bacf3d2297da51c125a3a4b8